Circuit provided with a secure external access

ABSTRACT

The invention relates to a circuit IC comprising an microprocessor MIC and a set of peripheral devices comprising at least one communication interface UMI for external access. The peripherals PER, unlike the communication interface UMI, are connected to the microprocessor MIC by an interconnection bus BUS. The circuit also comprises a security module CR connected to the interconnexion bus BUS and to the communication interface UMI by a dedicated link DL.

This invention relates to a circuit provided with a secure externalaccess.

The invention relates to the field of programmable integrated circuits,mainly that of circuits used for conducting confidential transactions.

Such a circuit comprises a microprocessor and, in most cases, a cachememory, a cache memory controller and/or a memory management unit. Italso generally includes a non-volatile memory, one or several workingmemories, such as Random-Access Memory (RAM) or Read-Only Memory (ROM).It also includes, in most cases, other peripheral devices suited for theapplications that it is designed to implement.

On the other hand, the circuit comprises a communication interface forexternal access. In other words, this interface enables themicroprocessor to exchange data with any component located outside thecircuit.

The invention has a particularly advantageous application when thiscomponent is a memory. Indeed, it is common to attach an external memoryto the integrated circuit so that the users of this circuit can avail ofadditional memory space.

It is obvious that the contents of the external memory can be accessedby the microprocessor, but they can also be accessed by any other pieceof equipment. Thus, it is easy to read and even modify the data recordedin this memory. And yet, it is sometimes imperative for these contentsto be protected from any intervention from outside the circuit. This ismainly the case when the memories contain security-related information,such as a confidential access code or verification of a digitalsignature.

When loading a program in the external memory, it is provided that theintegrated circuit that receives this program from the outside verifiesits authenticity (identity of the issuing party) and its integrity (thatit has not been modified by any third parties) before saving it in thememory. This verification is normally carried out by means of anelectronic signature protocol.

It is practically impossible to apply this protocol every time theexternal memory is read by the integrated circuit, since this is anoperation that requires a considerable amount of processing power and istherefore very slow.

The object of the present invention is therefore to increase theprotection of this memory against unwanted access.

According to the invention, a circuit comprises a microprocessor and aset of peripheral devices including at least one communication interfacefor external access, in which these peripheral devices, unlike thecommunication interface, are connected to the microprocessor by aninterconnection bus; the circuit also comprises a security moduleconnected to the interconnection bus and to the communication interfaceby a dedicated link.

According to a preferred embodiment of the circuit, the communicationinterface is adapted to an external memory.

Advantageously, the security module comprises encryption means CR.

Preferably, the encryption means should use a private key.

It is desirable for the encryption key to be longer than the standardlength of the data processed by the microprocessor, therefore the lattercomprises means for breaking encrypted words down into standard-lengthdata.

If the circuit also comprises a cache memory associated to a controller,the security module is able to process the consecutive accesses of thiscontroller in order to break the encrypted words down intostandard-length data.

It is preferable for the encryption key to be stored in aone-time-programmable register, and this register can be saved in anon-volatile memory.

The present invention will be better understood with more detail in thecontext of the following description of a sample embodiment provided forillustrative purposes in reference to the appended figure, which shows adiagram of an integrated circuit according to the invention.

In reference to the figure, an integrated circuit IC comprises amicroprocessor MIC that is possibly connected to a cache memory and/orto a memory controller (not shown). It also comprises a communicationinterface UMI and, generally, other peripheral devices PER, such as anon-volatile flash memory, working random-access memory, etc.

According to the invention, the circuit also comprises a security moduleCR. A system bus BUS interconnects all the elements in the circuitexcept the communication interface UMI, and a dedicated link DL connectsthis interface UMI to the security module CR.

Outside the circuit there is a component MEM that can communicate withthe communication interface UMI, and the invention thus providesprotection for the data that pass through this interface by means of thesecurity module CR.

In this specific case, this component is an external memory MEM and thecommunication interface is preferably a universal memory interface UMI.

The security module CR can use various techniques for encoding ormodifying the data it receives from the microprocessor MIC through thesystem bus BUS before transmitting the data thus encoded to thecommunication interface UMI so that they do not appear clearly in theexternal memory MEM. It is obvious that this module can decode theinformation when it reads the data in this external memory MEM in orderto return them to the microprocessor MIC the same way as they wereprovided initially.

An advantageous solution consists in resorting to encryption means thatare provided preferably by the security module CR.

Thus, the data are encrypted before being saved in the external memoryMEM and they are then decrypted when they are read by the said memorybefore being sent over the system bus BUS.

It is therefore advisable to encode the data on the fly before storingthem in the external memory MEM.

The microprocessor MIC can process 8-, 16- or 32-bit data. Currently,access to external data is granted using words with a standard length of8, 16 or 32 bits. To secure such data requires 8-, 16- or 32-bitencryption respectively. In this case the encryption would be veryvulnerable, practically inefficient, if known algorithms are used.

It is therefore desirable to choose an algorithm that works with 64-bitdata, or even 128-bit whenever necessary. Selecting a standard algorithmmakes it possible to avoid additional constraints while guaranteeing amaximum level of security.

Algorithms with a private key will be given preference since theyrequire much less processing time than algorithms with public keys.

As an example, the following algorithms will be used:

-   -   AES (Advanced Encryption Standard), working with 128-bit keys        and currently providing maximum security,    -   DES (Data Encryption Standard), working with 64-bit keys, known        for being universally used in systems that are less demanding in        terms of security,    -   3DES (Triple Data Encryption Standard), or    -   XDES (Extended Data Encryption Standard), the latter two        algorithms are recommended for the most demanding systems in        terms of security, while ensuring high encoding rates at a low        cost.

The security module CR makes it possible to encrypt data that are longerthan the standard length. This module is designed for processing 64- or128-bit data, recorded as eight or sixteen 8-bit words, four or eight16-bit words, or else two or four 32-bit words respectively in theexternal memory MEM, therefore access to any of these data is dividedinto several 8-, 16- or 32-bit accesses respectively.

For this purpose, the security module CR is able to process grouped orconsecutive accesses of the microprocessor cache memory controller. Thiscache memory contains a partial copy of the external memory MEM, whichis updated depending on the part of the program being run by themicroprocessor MIC. Since the cache memory is very fast and very closeto the microprocessor MIC, it generally allows for an improvement of thecircuit's performance.

The data present in the cache memory is replaced by the cache controllerin packets. These packets have a minimum size of four 32-bit words,regardless of the size of the data processed by the microprocessor MIC.

It must be noted here that the cache memory can also be used by thecircuit for other purposes.

The controller can be required to write the data saved in the cachememory that relate to the external memory MEM in packets with a sizethat is a multiple of 64 bits.

The interface between the cache memory and the external memory MEM,which can only manage 8-, 16- or 32-bit accesses is set up in a simplemanner, breaking a 64-bit access down into eight 8-bit accesses, four16-bit accesses or two 32-bit accesses respectively.

In the case of 32-bit access, the DES or 3DES algorithm will be loadedevery two 32-bit words, while the AES algorithm will be loaded everyfour 32-bit words. The data are loaded on the fly. In the case of“pipeline” processing of the AES algorithm, in other words when completeprocessing of a piece of data in one or several cycles is able toreceive a new piece of data in each cycle, only the first accessintroduces a latency time in the total data transfer time.

The private key used by the algorithm is preferably stored in aso-called OTP register (One Time Programmable). If the integratedcircuit IC is provided with a non-volatile flash memory, this registercan be located there.

The example of an embodiment of the invention described above was chosendue to its concrete nature. It would not, however, be possible toexhaustively list all the possible embodiments of this invention.Particularly, all the described means can be replaced with equivalentmeans without departing from the scope of the present invention.

1-8. (canceled)
 9. An integrated circuit comprising a microprocessor anda set of peripheral devices including at least one communicationinterface for external access, wherein said peripherals, unlike saidcommunication interface, are connected to said microprocessor by aninterconnection bus on which the data length is equal to the standarddata length of the data processed by said microprocessor, saidintegrated circuit also comprising a security module connected to saidinterconnection bus and to said communication interface by a dedicatedlink, wherein the length of the data processed by the security module isgreater than the standard data length of the data processed by themicroprocessor, and the integrated circuit further comprises means foradapting the length of the data processed by the security module to thestandard data length.
 10. A circuit according to claim 9, wherein saidmeans for adapting the length of the data processed by the securitymodule to the standard data length includes a cache memory, associatedwith the microprocessor and provided with a cache memory controllerwhich, upon accessing the cache memory, causes it to transmit to thesecurity module data having a length equal to the standard data length,whereby the processing of the data by the security module is performedon the fly.
 11. A circuit according to claim 10, wherein, during theciphering of the data by the security module, the cache memory preparesdata having a length greater than the standard data length, whereby saiddata can be accepted at the input of the security module.
 12. A circuitaccording to claim 11, wherein, during the deciphering of the data bythe security module, the cache memory breaks the deciphered dataavailable at the output of the security module, which has a lengthgreater than the standard data length, into standard-length data.
 13. Acircuit according to claim 12, wherein the security module uses a secretkey algorithm which processes data having a length of at least 64 bits,and wherein the standard length of the data processed by themicroprocessor is less than 64 bits.
 14. A circuit according to claim13, wherein said secret key algorithm is the AES algorithm.